By Warren McHugh, EFA Board Member.
AI is being sold as a friendly assistant that quietly makes life easier: it writes emails, fixes code, books meetings, drafts legal notes, summarises research. The new wave of “AI agents” goes further than suggesting things: they are designed to act on your behalf.
The OpenClaw story shows how quickly that can slide from “helpful assistant” to “powerful tool that attackers love”, and how big AI companies seem more interested in speed to market than in safety.
This isn’t a story only for programmers. It’s about who we hand control of our devices to, the risks of handing over control, what happens when those tools are abused and whether anyone is really looking out for users.
What is OpenClaw?
OpenClaw is a type of AI agent. Instead of just answering questions in a browser, it’s designed to be wired directly into your computer and online services so it can “do things for you.”
In practice, that often means giving it access to your files, the ability to run commands on your computer and connections to services like Slack, WhatsApp, GitHub, and cloud accounts – including things like your calendar, address book, documents, and photos – all of which reveal far more about you than you might expect.
In security terms, that’s close to giving a piece of software god mode!
“God mode” here means it can do almost anything you yourself can do on your machine and connected accounts.
Supporters call this the future of productivity. Many security and privacy professionals call it something else: a security and privacy nightmare.
Think about it. If agentic AI can do everything you can do, then anyone who takes control of that tool can also do everything you can do.
Why is OpenClaw Controversial?
First is too much power, too close to the core of your life. OpenClaw is designed to run on your personal computer, with deep access. That’s very different from using a website where the AI never touches your actual files or device.
Second is the messy ecosystem around it. OpenClaw has a kind of “app store” for add‑ons (they’re called “skills”). Anyone can write these skills to extend what the agent can do, often with powerful permissions over your data and accounts. There’s no simple way for ordinary people to verify that a given skill is safe, or even that it does what it claims, yet you’re asked to trust it with some of the most sensitive parts of your digital life. These quasi app stores must ensure their products all have safety, security and privacy built in by design in order to be fit for purpose.
Security researchers looking at this ecosystem have already found technical vulnerabilities and outright malicious skills.
Technical vulnerabilities have been found in how OpenClaw communicates, which could allow outsiders to run code on your machine.
Malicious skills have been identified that behave like typical malware: stealing SSH keys (used for logging into servers securely) and other sensitive information and sending it out.
You’ve got a tool with near‑total access to your machine, plus a marketplace where strangers can publish add‑ons that extend its powers with limited oversight.
That’s a dangerous combination.
A Supply‑Chain Hit Quietly Installs OpenClaw
This all stopped being theoretical when an attack hit Cline, a popular AI coding assistant used by JavaScript/Node.js developers.
The key points are:
- Cline is a tool developers install using npm, a standard way programmers pull in software packages.
- Attackers got access to publish a new version of Cline: `[email protected]`.
- That version included a hidden instruction that said: “after installation, also install OpenClaw, globally, without asking the user.”
- The malicious version was live for around 8 hours.
- Around 4,000 machines are estimated to have installed it before it was fixed.
If you updated Cline during those hours, your machine secretly installed OpenClaw as well.
The interesting part is that the OpenClaw package itself wasn’t “hacked”. It was used, as‑is, as a payload!
A “payload” here just means the thing attackers want running on your machine once they get a foothold. Traditionally this has been something like an infostealer, ransomware or other kind of malware. Now they have something that can act as you and run autonomously.
If you’re not a developer, think of it like this. You update a browser extension that you trust. Unknown to you, the update also installs a powerful remote‑control tool with access to all your stuff.
That’s exactly the kind of scenario security people worry about with agents like OpenClaw. Since they are extremely powerful once installed, they are very attractive targets for attackers to drop onto machines.
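One defensive check a developer or IT team could run against this kind of install‑time trick, as an added example (not EFA’s, Cline’s or OpenClaw’s code): it scans npm package manifests for lifecycle hooks that perform global installs or pipe downloads into a shell. The package names and manifests are constructed for illustration.

```javascript
// Added example (not from EFA, Cline or OpenClaw): audit npm package manifests
// (package.json) for install-time hooks that reach outside the package, such as
// a global install of another tool or a download piped into a shell. npm runs
// these hooks automatically during `npm install`; manifests here are constructed.

// Script names npm executes on its own during installation.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Command shapes a reviewer would want flagged before trusting an update.
const SUSPICIOUS_PATTERNS = [
  { reason: 'global install', re: /\bnpm\s+(?:i|install|add)\b[^&|;\n]*\s-{1,2}g(?:lobal)?(?=\s|$)/ },
  { reason: 'global install', re: /\b(?:yarn\s+global\s+add|pnpm\s+add\s+(?:-g|--global))\b/ },
  { reason: 'download piped to interpreter', re: /\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash|node)\b/ },
];

// Returns one finding per (hook, pattern) match in a single manifest object.
function auditLifecycleScripts(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    for (const { reason, re } of SUSPICIOUS_PATTERNS) {
      if (re.test(command)) {
        findings.push({ name: manifest.name, version: manifest.version, hook, reason, command });
      }
    }
  }
  return findings;
}

// Audits every manifest in a dependency tree (e.g. each node_modules/*/package.json).
function auditTree(manifests) {
  return manifests.flatMap(auditLifecycleScripts);
}

// Constructed sample manifests: one ordinary package, one behaving like the
// Cline incident (an install hook that silently installs another tool globally).
const BENIGN_MANIFEST = {
  name: 'example-cli', version: '1.0.0',
  scripts: { build: 'tsc -p .', test: 'node test.js', prepare: 'node scripts/check-node-version.js' },
};
const TROJANED_MANIFEST = {
  name: 'example-assistant', version: '9.9.9',
  scripts: { build: 'tsc -p .', postinstall: 'node scripts/setup.js && npm install -g example-agent' },
};

// Walk the tree as `npm install` would have, reporting anything suspicious.
for (const f of auditTree([BENIGN_MANIFEST, TROJANED_MANIFEST])) {
  console.log(`${f.name}@${f.version} ${f.hook}: ${f.reason} -> ${f.command}`);
}
```

npm’s own `ignore-scripts` setting (`npm config set ignore-scripts true`) disables these hooks for every install, which blocks this delivery mechanism outright at the cost of breaking packages that legitimately rely on them.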
OpenAI’s Mission Changes and High‑Profile Hire
This would already be a worrying story if it ended there, but we’re not finished yet.
At the same time all of this has been happening, OpenAI, the company behind ChatGPT, has been making some quiet but important shifts.
- “Safely” disappears from the mission statement: In earlier years, OpenAI’s formal mission was about building powerful AI that safely benefits all of humanity. Recently in official regulatory documents, the word “safely” has been removed or softened. Safety still appears in blog posts and presentations, but it’s not as tightly locked into the core mission language as it once was. When lawyers and regulators ask, “What is your purpose?” safety now shows up more as decoration than as the central pillar. Companies are good at following what they write into their missions, so when they rewrite those missions, it tells you something about their future priorities.
- Hiring the OpenClaw creator to lead agent work: Against this backdrop OpenAI hired Peter Steinberger, the creator of OpenClaw, and put him in charge of work on personal and multi‑agent systems. OpenAI is now supporting OpenClaw under an open‑source foundation. The company that once marketed itself as the careful, safety‑first AI lab has now hired the leading advocate of “deeply integrated agents on your device” to help build its future products.
There is a fundamental tension here: security experts are warning that highly privileged agents are risky by design, while OpenAI appears to be leaning into that model as a strategic bet to stay ahead in the “AI assistant that can do everything for you” race.
Why “Regulation Is Stifling” Should Worry You
Steinberger has also been open about his frustrations with working in Europe. He has said that Europe’s labour rules (which protect workers from extreme hours and precarity), and regulations like GDPR and the EU AI Act, make it harder to move fast with aggressive AI projects.
So he moved toward the US ecosystem and OpenAI, framing it as a way to “run faster” and avoid what he sees as European “friction.”
Whatever you think about EU regulation, this pattern is familiar: when powerful, high‑risk technology emerges, some founders will seek out the places where they are least constrained and least accountable.
Often this is the clearest sign that strong rules are needed rather than an indication that regulation is unnecessary.
What Does This Mean For Ordinary Users?
You might not be a developer, but you’re still in the blast radius.
AI agents are coming fast to workplace tools (email, document editors, CRM systems), healthcare and legal support platforms, education tech and student tools, finance apps, marketing dashboards, and more.
They will increasingly sit on your device, connect to all your accounts, and act on your behalf.
A “personal AI agent” is not a harmless assistant if it can read and write your files, run commands, and access your messages and cloud services.
From a risk point of view it is closer to a remote access tool than a search engine and you should treat it accordingly.
Add‑ons and “skills” are not automatically safe. If an AI agent has a marketplace of plug‑ins or “skills,” remember those are just small programs written by other people, often strangers, and they may not be heavily checked, audited, or reviewed.
The OpenClaw ecosystem already has examples of malicious skills used to steal sensitive information.
Software supply chains are now AI attack paths as the Cline incident shows. Attackers don’t need to trick you into downloading a shady file if they can instead compromise tools you already trust and use them to install powerful agents.
For non‑technical users, the important lesson is that “Automatic updates” and “one‑click installs” are great for convenience, but without strong security practices behind them, they become powerful delivery systems for abuse.
Why This Matters For Digital Rights and Policy
From a digital rights perspective, this isn’t just a story about one project gone wrong, it’s a “canary in the coal mine”.
- We’re normalising high‑risk AI agents on personal devices. Without a broad public debate, the industry is pushing the idea that it’s normal to have “always‑on” agents with deep access to your life and work.
- The incentives reward speed over care. Companies are racing to deploy ever more capable agents. Markets reward “faster” and “more powerful,” not “more cautious”, “safer” or “easier to audit.”
- Market positioning on safety is getting softer exactly when it should be firmer. Now is not the time to see safety and harm minimisation toned down. If there was ever a time for safety to be front‑and‑centre in technology, it’s now.
- Regulation is treated as an obstacle, not a guardrail. When high‑profile AI founders frame labour protections and privacy laws as “stifling,” they are signalling that user rights are secondary to product velocity.
For organisations like Electronic Frontiers Australia, this raises urgent questions:
- How should AI agents be managed by future laws and regulatory policy, e.g. an equivalent of the EU Digital Services Act?
- How best to regulate them to afford broad consumer protection, user privacy and security?
- What minimum safety standards must apply before agents can be shipped at scale?
- How do we provide for clear permissions, strong audit trails and limits on what they’re allowed to do by default?
- How do we ensure simple and clean UX and processes that support revocation of AI agent access and unfettered uninstallation, i.e. no “dark patterns”?
So, Where Do We Go From Here?
One path looks like this:
- AI agents quietly become the default way we interact with computers.
- They are deeply embedded in our documents, inboxes, chats, finances, and health data.
- Their creators are rewarded for shipping quickly and deeply integrating into our lives.
- We add another layer, and another revenue stream, to the global surveillance‑based data extraction complex.
- When something goes wrong (and it will), the damage is enormous and deeply personal.
The other path is harder but safer:
- We treat AI agents that live on our devices as critical infrastructure, not toys.
- We insist on:
  - least‑privilege by default (they only get the access they truly need and only for the time they need it),
  - meaningful transparency (users can see and control what’s going on),
  - independent oversight and real consequences when things go wrong.
- Regulators stop taking “trust us” at face value, especially from companies softening their public commitments to safety while chasing market share.
The OpenClaw and Cline incident is not the biggest data breach in history, but it is a warning shot!
When an “AI helper” designed to do everything for you can be silently installed through your normal tools, the line between assistant and attack surface has already blurred.
We don’t have to accept “move fast and break things” as the operating system for the AI age, especially when the things being broken are our security, privacy, and trust in the tools we rely on.
EFA will be watching this space closely and pushing for a future where powerful AI systems are built to serve people, not to see how much control over our digital lives we’ll hand over before we notice something is wrong.
Image source: Andrea De Santis/Unsplash